Most common healthcare ransomware and cyberattack removal


The cost, hassle, and fines to DCs for ransomware attacks and ransomware removal

Every month, the risk that a ransomware attack closes your office forever (or forces a doctor of chiropractic or other healthcare organization to spend an average of $158,000 in fines and remediation, including ransomware removal) continues to grow. This year is already proving to be another record, with a massive increase in attacks against small and medium-sized chiropractic and healthcare practices.

A successful ransomware attack is a violation of HIPAA

A ransomware attack is also an automatic violation of the Health Insurance Portability and Accountability Act (HIPAA), as these attacks cannot be successful if you follow all HIPAA rules, including the required documented and formalized policies, risk analysis and mitigation plans.

The only chance of protection against a ransomware attack is prevention. Having a comprehensive HIPAA program in place and monitoring it closely is the only way to help prevent these attacks. When I started traveling to teach HIPAA in 2010 (I currently teach 40 state associations and four chiropractic colleges), there were major HIPAA compliance issues on the horizon for chiropractors, but nothing like what we see today.

At that time, no one had heard of ransomware attacks, whereas today I am contacted by 2-4 chiropractors per month who have been hit by ransomware and are petrified by the devastation to the practice, the ransomware removal, the potential HIPAA fines and their required interactions with government law enforcement agencies.

Cybersecurity = HIPAA

In healthcare, everything you hear about cybersecurity news – that is, every time you turn on the news – needs to be changed, in your mind, to HIPAA, because in the healthcare world, HIPAA stands for cybersecurity.

It is the law that dictates what we are required to do, as covered entities, under HIPAA law, to prevent cyber attacks. The world has changed, and if you don’t, you’ll be swallowed up – unfortunately more and more chiropractors are experiencing the same phenomenon.

The national average cost to resolve a ransomware attack is $158,000. Chiropractic practices and other primary care practitioners are typically smaller in institutional size, and typical costs, including ransomware removal, are in the range of $90,000 or less, but this can still shut down many practices. Prevention is the key.

Some take the attitude, “Let them come after me. If I am hit, I will close and declare bankruptcy!” Unfortunately, while this can avoid some costs, government fines are like actions of the IRS and are generally not discharged in bankruptcy.

Ransomware removal, losses and breaches

About 89% of all cyber attacks are now ransomware. When you encounter a ransomware attack, you usually come in to your desk, start your computer to begin the new day, and there is nothing on your screen except a message that says: “We have your data.”

If it is “weaponized ransomware,” they have probably had this “worm” or virus on your hard drive for a long time, not just that day, and they have probably captured your backup data as well. That is why backing up your data (and even keeping copies of old backups) is important.

They will also ask for a certain amount of money to get your data back and then give you a time limit for payment. Example: “In the next five hours, it will cost you $10,000 to get your data back; if you don’t pay within five hours, it goes up to $20,000; and if you don’t provide that within 24 hours, we will publish or sell your data on the dark web and you will never see it again.”

Brick your computer

Along with weaponized ransomware, they may also have the ability to destroy your computer remotely.

So let’s say you decide to pay $15,000 to get your information back. This is only the start of your money problems. The attack is a violation of HIPAA because, if you had a HIPAA program in place and followed the legally required policies and rules, you likely would not have succumbed to it.

You are supposed to know this, so this type of violation can be declared “willful neglect,” and willful neglect carries a minimum fine of $59,255 (they can also add punitive damages, if they wish). You may also be required to pay for the credit monitoring your patients incur. If 1,000 patients’ records were breached and monitoring cost $10 per patient per month for a year, that would equal $10,000 per month.

You will also have to face the cost of a forensic examination by computer experts to determine which and how many patients’ records were breached. This can easily cost $10,000-20,000, and when it comes to ransomware removal, you are likely going to need new software and hardware replacements. You can easily see how quickly the costs add up and how devastating such an attack can be if it is not avoided.

You have a responsibility to protect the private information of patients, especially when that information enters cloud-based systems, someone else’s server or anywhere other than your office. You need to make sure that this information is not breached and does not give a patient a reason to say, “Hey, I think you mismanaged my information and I am filing a complaint with the government.”

Monitor your data associations

When working with an EHR company for electronic medical record storage (even if the information is stored on-site, in your office), if the company has access to your data, it is considered a business associate.

If that business associate does not protect the information you provide to them, and something goes wrong and that information is breached, then you, the doctor, are responsible, unless you have a business associate agreement (BAA) in place. You are ultimately responsible for protecting your data, so a BAA is an essential requirement under HIPAA law.

There is always a human component when information is breached: someone has done what they shouldn’t be doing, or not done what they should be doing. We all want to protect our patient information, just as you want your data protected when you go to the dentist. If you don’t have a strong HIPAA program in place, what will your defensible position be when the government comes knocking on the door? “I didn’t know” doesn’t work.

New CARES ACT, HIPAA regulation

As of this writing, a new CARES Act law is coming into effect, along with new HIPAA regulations. These mainly concern new fines and requirements regarding the blocking of information from patients who have requested it.

You must have a defensible program in place or you will be fined to death. By law, the government must investigate every complaint, and they’re currently two years overdue, which means you could be in trouble now and not know it for another two years.

Why do you want to lose sleep at night because of this? Start a HIPAA program now.

I am constantly amazed by the increase in the number of ransomware attacks. They are growing faster and faster, and this is made worse by the fact that many who are attacked do not take massive, immediate action to fix the problem. Once a practice is attacked, there is a 95% greater chance it will be attacked again.

I still travel the United States, and even today I find chiropractors, doctors and dentists not doing what they need to do to put their data security and HIPAA program in place. They think, “Well, I’m fine because I have training once a year where I talk about HIPAA, and patients sign release forms, so I think we’re probably fine.” It’s time to face the facts: hiding your head in the sand in these modern times just makes your practice a bigger target.

TY TALCOTT, DC, CHPSE, is a HIPAA Certified Privacy and Security Expert (CHPSE) and President of HIPAA Compliance Services. He has been a consultant for thousands of healthcare practices relating to business development and protection. He can be contacted at (469) 371-8804 or at DrTyTheComplianceGuy.com.
